Gi Firewall for mobile subscribers

Wed Apr 10 13:48:10 UTC 2019

On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <amos at oasis-tech.net> wrote:

> Hello NANOG,
>
>
>
> We are discussing internally and wanted to get more opinions and
> especially more data on what are people actually doing.
>
> We are running an ISP network with about 150K fixed broadband users,
> running dual stack (IPv4 behind CGNAT).
>
> On the ISP network  IPv6 is simply routed, and is firewalled on the CPE.
>
>
>
> This network added mobile services about a year ago, also dual stack (we
> have no control on the mobile devices so we were too concerned to choose
> IPv6 only access).
>
> We have an ongoing discussion about Gi firewall (adding a firewall between
> the subscribers and the internet, allowing only subscriber initiated
> connections), for the IPv6 traffic.
>
>
>
> The firewall is doing very little security, the ruleset is very basic,
> allowing anything from subscribers to the internet and blocking all traffic
> from the internet towards the subscribers.
>
> We have a few rules to limit the number of connections per subscriber (to
> a relatively high number) and that is it.
>
>
>
> One of the arguments in favor of having the firewall is that unsolicited
> traffic from the internet can “wake” idle mobile devices, and create
> signaling (paging) storms as well as drain user batteries.
>
>
>
> On the other hand, allowing only subscriber initiated traffic is mostly
> achievable using ACLs on the mobile core facing routers, or is it with the
> growing percentage of UDP traffic ?
>
>
>
> BTW – I don’t mention IPv4 traffic on the mobile network as it’s all
> behind CGNAT which don’t allow internet initiated connections.
>
>
>
> Anyway, we are very interested to know hear more opinions,  and especially
> to hear what are other mobile operators do.
>
>
>
> Regards
>
>
>
> Amos
>
>
>

Step outside the theoretical and model your real threats. Attack yourself
of pay someone to do a real pentest.

1. Does a hacker know the ipv6 of your subs? How frequently does the sub
get a new 128 bit address?

2.  What does the hacker get from a paging storm?  Economic benefit ? Lolz?
Has a malicious paging storm ever happened in the real world?  What level
of effort would be required to trigger that?  Is that level of effort more
or less than it would take to tip over a stateful firewall (session
exhaustion, pps attack, alg bugs, vulns in the fw
https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
)

3. Assuming the hacker gleans the address of the sub, what ports are open
in the real world? What can a hacker connect to and accomplish?

>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190410/c54a83c6/attachment.html>